1. Joshua Vince
    I recently got a Q10 and I think it's great. However, I am wondering: how secure is this phone? How can I make it more secure? I study computer security as a hobby and I like to put it into practice with my devices.

    I have encryption turned on with a secure passphrase. My phone never leaves my person without locking it first. Therefore, I see no need to use Blackberry Protect. But how secure is this? Could a skilled hacker get into my phone? Could the NSA get into my phone? What if they fail 10 times and reset my phone - could they still recover my data somehow?

    Also, how secure is BBM on Blackberry 10? I expect my carrier to be able to read my texts and listen to phone calls, but can they read my BBM messages? Could a hacker read them? This article says the NSA can read them: "U.S. and U.K. spies crack BlackBerry BES encryption, report says" (Computerworld). Is there a more secure alternative? How can I prevent the NSA from reading my communications?

    So basically how secure is my phone and BBM? How can I make these more secure?
    10-23-13 11:35 PM
  2. Branta
    Your phone sounds to be pretty secure, the easiest way of getting into it would be to hit your most loved family member with a big stick until you disclose the password. At a practical level without your device password it is unlikely the content could be extracted and the encryption would still make it unreadable.

    BBM and other communications which have left your phone are a different matter. Unless you are using a secure encryption algorithm for data traffic you should assume any message may be read by law enforcement and national security authorities in any state through which it passes in transit.
    Pete The Penguin likes this.
    10-24-13 10:57 AM
  3. Joshua Vince
    Is BBM secure enough? Or is there a different app that has better security for instant messaging?
    10-26-13 08:30 PM
  4. thurask
    To my knowledge, while the average individual hacker type would have a hard time getting into BB10 and the device-BBRY server connection for BBM (cf. Black Hat 2013: Black Hat 2013 session on BlackBerry 10 security fails to offer anything interesting | CrackBerry.com), governments wouldn't have the same problem (I believe Angela Merkel has a Z10...), especially if they do something like the Indian government and require BBRY to allow them to snoop on BBM.

    Although, as Branta has said, a $5 wrench can trump even the tightest of cryptographic security methods if applied to the right person's kneecaps.

    10-26-13 08:39 PM
  5. Richard Buckley
    If you want that level of communications security you need to implement a BES. But even that will only get you security between the device and the BES (and other devices on the BES).

    If you want really secure chat, look for an application that supports the Off The Record protocol.

    http://en.m.wikipedia.org/wiki/Off-the-Record_Messaging

    Posted via CB10
    10-26-13 09:45 PM
  6. Branta
    Is BBM secure enough? Or is there a different app that has better security for instant messaging?
    There are no fully secure IM systems in general availability. The weak point is that they all pass through a third party server, and AFAIK none of the generally available apps offer the choice of encryption methods and secure/unique passwords. They were designed for social chat, not secure message handling. The only one which used to be secure was old style Skype in peer-peer mode, before Microsoft neutered the encryption and routed everything through known nodes.

    I'll explain again. If you need to keep law enforcement and government surveillance out of your messaging you need to be using a fully secure end-to-end encryption (e.g. PGP for email) with keys you and the recipient have generated yourselves and exchanged in a secure manner. None of the default encryption provided on any stock consumer grade smartphone will prevent officially sanctioned snooping. All the ISPs, networks and other Service Providers (BlackBerry, Google, Apple, ...etc) will disclose everything they have on record when the court order (search warrant or whatever you call it where you live) is served. They don't have a choice, either comply or the business gets shut down and those who fail to comply have an uncomfortable interview with a Judge.

    As far as hacking and commercial level snooping are concerned your BlackBerry is generally secure enough if you stick to the principles of Safe Computing. That's things like no cracked software, no downloads from untrusted sources, no dodgy web browsing. In any case it would be extremely difficult to intercept specific BBM messages at most stages while in transit, the really vulnerable points are between your device and your network's internet gateway, the same link at the recipient side, and the BlackBerry NOC. These are the only stages where it is reasonably certain the packets will be passed over an easily identified link. For the internet hops between these points the routing is less predictable and may change from one second to another. It is also prohibitively expensive to attempt to tap the fiber and microwave links which form the internet backbone.
    Pete The Penguin likes this.
    10-27-13 06:49 PM
  7. PorcinusMaximus
    I have encryption turned on with a secure passphrase. My phone never leaves my person without locking it first. Therefore, I see no need to use Blackberry Protect. But how secure is this? Could a skilled hacker get into my phone? Could the NSA get into my phone? What if they fail 10 times and reset my phone - could they still recover my data somehow?
    On BBOS there are two ways to gain access to a password locked BlackBerry's data. The first method involves disassembling the BlackBerry in a forensics lab, removing the memory chip, and accessing the data directly from the chip. If you encrypt the data, the investigator will end up with the encrypted data and still be faced with the task of trying to decrypt the data. That's when the strength of the encryption and strength/length of the password you used will have a direct bearing on the investigator's ability to decrypt your data.

    The second method (on BBOS) involves exploiting a media card vulnerability. Russian company Elcomsoft has made a password cracker which can extrapolate a BBOS BlackBerry's password by attacking a file on the media card. The only way that exploit will work is if the BlackBerry user used the media card encryption mode that does not use a device key. If a device key is used, the media card exploit software won't work.

    As for BB10, I would hope device security is at least as good as that of a BBOS BlackBerry. As I understand it, the media card vulnerability does not exist on BB10, because a device key is always used during media card encryption.

    The one method of attack that will not work against a BlackBerry is the plug-in UFED device, made by Cellebrite, that police departments and other investigators use to download data from a target's phone. The device somehow circumvents a phone's password and accesses data directly from the phone's hardware. This device does not work against a password locked BlackBerry, but it will work against a whole gamut of competing platforms' phones.
    10-27-13 07:25 PM
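
Post 7's point about chip-off extraction, as an added example that is not part of the thread: the 10-attempt wipe only limits guessing on the device itself, so once the encrypted data has been copied off the memory chip, passphrase size and key-derivation cost are what remain. PBKDF2-SHA256, the iteration count and the sample passphrases are assumptions made for illustration; the thread does not say how BlackBerry derives its keys.

```python
import hashlib
import string
import time

WIPE_LIMIT = 10  # failed on-device attempts before the wipe mentioned in the thread
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " "]

def alphabet_size(passphrase):
    """Size of the smallest set of common character pools covering the passphrase."""
    size = sum(len(p) for p in POOLS if any(c in p for c in passphrase))
    # Characters outside the four pools are counted individually.
    extra = {c for c in passphrase if not any(c in p for p in POOLS)}
    return size + len(extra)

def keyspace(passphrase):
    """Upper bound on candidates; human-chosen passphrases are usually weaker."""
    return alphabet_size(passphrase) ** len(passphrase)

def on_device_success(space, attempts=WIPE_LIMIT):
    """Chance a guesser wins before the wipe triggers."""
    return min(1.0, attempts / space)

def offline_years(space, guesses_per_second):
    """Expected time to find the passphrase when no attempt counter applies."""
    return (space / 2) / guesses_per_second / (365 * 24 * 3600)

def kdf_guess_rate(iterations, samples=3):
    """Guesses per second this machine manages against PBKDF2 (assumed KDF)."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"constructed-salt", iterations)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    rate = kdf_guess_rate(iterations=100_000)  # assumed iteration count
    print(f"measured rate on one core: {rate:.1f} guesses/s")
    # Constructed sample passphrases, not taken from the thread.
    for sample in ["4821", "q10rocks", "Tr0ub4dor&3x!"]:
        space = keyspace(sample)
        print(f"{sample!r}: on-device {on_device_success(space):.2e}, "
              f"offline about {offline_years(space, rate):.2e} years")
```
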
  8. gariac
    I have been leaving my media card unencrypted, as per the Elcomsoft notice that went out I think two years ago. I haven't read where BB10 is immune to that hack.

    I have my doubts about the NSA cracking BES. I recall at one of the meetings in the UK, they had to get the targets to download an app. It goes without saying that apps are the best vectors for the NSA.

    BBM is encrypted, but the key is essentially global. Correct me if I am wrong, but excluding man in the middle attacks, it should be secure from anyone that can't intercept the data. I have to assume the Blackberry servers have encryption as well. If that is the case, BBM is secure unless blackberry hands over the key. But if there is a way to intercept the data, it will be easily cracked. Basically cracking could be as simple as spoofing YOUR PIN on a BlackBerry.

    Posted via CB10
    10-27-13 08:08 PM
  9. PorcinusMaximus
    I have been leaving my media card unencrypted, as per the Elcomsoft notice that went out I think two years ago. I haven't read where BB10 is immune to that hack.
    If you're on BBOS, there's no need to leave your card unencrypted. If you want to encrypt your card just make sure you don't use the "Device Password" ("Security Password" prior to BlackBerry 6) mode of media card encryption. Use one of the other two modes. But be sure to back up your media card data to your computer or elsewhere, as you won't be able to view/access your encrypted media card files in another BlackBerry or on your computer if your device fails. The Elcomsoft attack only works against a media card that has been encrypted using the "Device Password" mode of encryption option available on BBOS. BB10 clearly does not have this mode, because it warns the user to decrypt media card files before trying to view them elsewhere.
    10-27-13 08:42 PM
  10. Gearheadaddy
    I recently got a Q10 and I think it's great. However, I am wondering: how secure is this phone? How can I make it more secure? I study computer security as a hobby and I like to put it into practice with my devices.

    I have encryption turned on with a secure passphrase. My phone never leaves my person without locking it first. Therefore, I see no need to use Blackberry Protect. But how secure is this? Could a skilled hacker get into my phone? Could the NSA get into my phone? What if they fail 10 times and reset my phone - could they still recover my data somehow?

    Also, how secure is BBM on Blackberry 10? I expect my carrier to be able to read my texts and listen to phone calls, but can they read my BBM messages? Could a hacker read them? This article says the NSA can read them: "U.S. and U.K. spies crack BlackBerry BES encryption, report says" (Computerworld). Is there a more secure alternative? How can I prevent the NSA from reading my communications?

    So basically how secure is my phone and BBM? How can I make these more secure?
    BlackBerry wasn't hacked. BlackBerry gave the NSA PERMISSION to access the phones.

    Trusted Member Genius
    10-28-13 01:31 AM
  11. gariac
    I believe BlackBerry only gave India the ability to read BlackBerry data. They set up separate servers for India to allow this.

    I have not read about BlackBerry doing the same for the UK.

    Posted via CB10
    10-29-13 12:47 AM
  12. rthonpm
    It's a fool's errand to try managing all of your communication in a manner that won't be intercepted by someone. Even if it's not the NSA, your communication will pass through a third party server or other infrastructure monitored by some intelligence service. Unless you're building your own network with no connection to the outside world there is always a chance that someone somewhere will intercept your communications.

    For the most part even then it's just going into a heap with everything else waiting to be analyzed. Unless you turn out to be a head of state or other potential target your data isn't worth much to the intelligence services. It's not as if they have the time or money to listen or read every piece of data they collect in real time.



    Posted via CB10
    10-30-13 03:57 AM
  13. gariac
    It's a fool's errand to try managing all of your communication in a manner that won't be intercepted by someone. Even if it's not the NSA, your communication will pass through a third party server or other infrastructure monitored by some intelligence service. Unless you're building your own network with no connection to the outside world there is always a chance that someone somewhere will intercept your communications.
    End to end encryption takes the man in the middle out of the equation. GPG, VPN, etc.

    With encryption, the three letter agencies can only store it and hope to decrypt it some day, or break into your house and steal the crypto keys. They can also fool you into downloading a PC virus or an app with a virus on your phone, but leaving fingerprints on a black bag job is poor trade craft.

    Posted via CB10
    rthonpm likes this.
    10-30-13 10:00 PM
